GDPR: the right to be forgotten

The EU’s General Data Protection Regulation (GDPR), effective May 25, 2018, regulates how businesses can collect and process the personal data of EU citizens. Any business—even one based outside the EU—that has EU users must be in compliance with the GDPR. The regulation affords EU citizens certain rights over their personal data, for example:

  • The right to access: upon request, the business must send the user a digital copy of their processed personal data
  • The right to be forgotten: the business must delete all the personal data they have on an EU citizen upon request

In accordance with article 17 of the GDPR, you must notify Adjust when a user has exercised their right to to be forgotten. You can inform Adjust of a user’s decision through a call to our GDPR API endpoint or using the Adjust SDK. 

Once Adjust has been notified: 

  • we will permanently delete all of the user’s historical personal data from our internal system;
  • we will no longer receive the user’s information from the Adjust SDK; and
  • the device’s data will no longer appear anywhere in the Adjust dashboard.

Requirements for GDPR API integration, instructions for Adjust SDK configuration, and real-time callback setup can be found below.

Important note for testing: Please exercise extreme caution when testing the API endpoint or SDK method using a personal device ID. When Adjust is notified of a user’s request to be forgotten, the subsequent process is permanent and cannot be reversed. Adjust will never be able to reinstate the device’s data or receive requests from that device for any reason.

GDPR API requirements

To integrate with the Adjust GDPR API, you will need to configure your servers to send a set of mandatory parameters (listed below) to Adjust through an HTTP GET request to our designated endpoint URL found below.

Endpoint URL




  • app_token
  • s2s
  • One of the following:
    • idfa
    • idfv
    • gps_adid
    • fire_adid
    • win_adid
    • adid
ParameterExample valueValue description
app_tokenrn4g67fue5e3The Adjust app token from the dashboard
s2s1Value must be 1
idfa8C6CBCOD-5F43-4765-A6E6-84DFF3D24707iOS ID for advertisers
idfvCCB300A0-DE1B-4D48-BC7E-599E453B8DD4iOS ID for vendors
gps_adid38400000-8cf0-11bd-b23e-10b96e40000dGoogle Play Store advertising ID
fire_adid63c5519b-7e66-7ee6-aa5d-3b290743811fFire OS advertising ID 
win_adid107e8ea14329d4a2194ebbb6dc0c0fd7Windows advertising ID
adid18546f6171f67e29d1cb983322ad1329Adjust device ID

Example request


Request responses

Status codeDescription
200OK; request was received and processed
400Bad request; formatting error or invalid app token; if you are unsure of how to correctly format your request, contact your account manager or support@adjust.com
429Too many requests; you have exceeded the request rate limit set to protect against abuse and will have to resend the request later
451Unavailable for legal reasons

Adjust SDK requirements

To notify Adjust of a user’s request to be forgotten through the Adjust SDK, you first need to download and set up the Adjust SDK for your platform. Follow the instructions linked below to get started.

⚙️  This feature requires Adjust SDK v4.13 and later.

Once you have the Adjust SDK installed and configured, follow the guides linked below to use this feature:

📖 iOS / Android / Windows / Adobe Air / Unity / Cordova / Marmalade / Xamarin / Cocos2d-x / React Native / Titanium / Corona

How to receive right-to-be-forgotten activity from Adjust

When Adjust receives a request to be forgotten, you can be notified via Adjust’s real-time callbacks and our Amazon S3 bucket integration. 

Enter a callback URL for the erased users (GDPR) real-time callback or include the erased users (GDPR) event type in your Amazon S3 bucket upload. If you want to receive right-to-be-forgotten information through your global callback, make sure you include the {activity_kind} placeholder, which will be filled with gdpr_forget_device when the callback is fired for a right-to-be-forgotten request.